Jeremy Epstein

Ed Felten provides good advice on this blog about what to do in the wake of Heartbleed, and I’ve read some good technical discussions of the technical problem (see this for a particularly understandable explanation).

Update Apr 11: To understand what Heartbleed is all about, see XKCD. Best. Explanation. Ever.

In this brief posting, I want to look at a different angle – what’s the scope of the vulnerability? [Read more...]

An article in The Register explains what happened in the Aug 1 2012 Wall Street glitch that cost Knight Capital $440M, resulted in a $12M fine, nearly bankrupted Knight Capital (and forced them to merge with someone else). In short, there were 8 servers that handled trades; 7 of them were correctly upgraded with new software, but the 8th was not. A particular type of transaction triggered the updated code, which worked properly on the upgraded servers. On the non-upgraded server, the transaction triggered an obsolete piece of software, which behaved altogether differently. The result was large numbers of incorrect “buy” transactions.

Bottom line is that the cause of the failure was lack of careful procedures in how the software was deployed, coupled with a poor design choice that allowed a new feature to reuse a previously used obsolete option, which meant that the trigger (instead of being ignored of causing an error) caused an unanticipated result.

Reading recently about a vulnerability in Google Glass that can be exploited if a victim takes a picture of a malicious QR code made me think about one of the current trends in absentee balloting. A number of localities in the US are trying out absentee ballot schemes where a voter goes to a website and makes his/her choices through a web form, then prints out a ballot that contains his/her choices as a marked ballot plus a barcode (typically a 2D QR code). The ballot is then mailed back to the locality with whatever signature forms are required. When the ballot arrives at the locality, election officials scan the QR code to duplicate the ballot showing the voter’s choices, (hopefully) compare that the voter selections actually match the marks, and then the ballot goes forward. (Commercial products with this feature include Everyone Counts and Scytl.)[Read more...]

[The following is a post written at my invitation by Professor Duncan Buell from the University of South Carolina. Curiously, the poll Professor Buell mentions below is no longer listed in the list of past & present polls on the Courier-Journal site, but is available if you kept the link.]

On Thursday, March 21, in the midst of Kentucky’s deliberation over allowing votes to be cast over the Internet, the daily poll of the Louisville Courier-Journal asked the readers, “Should overseas military personnel be allowed to vote via the Internet?” This happened the day before their editorial rightly argued against Internet voting at this time.

One of the multiple choice answers was “Yes, it can be made just as secure as any balloting system.” This brings up the old adage, “we are all entitled to our own opinions, but we are not entitled to our own facts.” The simple fact is that Internet voting is possible – but it is definitely NOT as secure as some other balloting systems. This is not a matter of opinion, but a matter of fact. Votes cast over the Internet are easily subject to corruption in a number of different ways.

To illustrate this point, two colleagues, both former students, wrote simple software scripts that allowed us to vote multiple times in the paper’s opinion poll. We could have done this with repeated mouse clicks on the website, but the scripts allowed us to do it automatically, and by night’s end we had voted 60,000 times. The poll vendor’s website claims that it blocks repeated voting, but that claim is clearly not entirely true. We did not break in to change the totals. We did not breach the security of the Courier-Journal’s computers. We simply used programs instead of mouse clicks to vote on the poll website itself.[Read more...]

A brief article on how much botnets cost to rent (more detail here) shows differing prices depending on whether you want US machines, European machines, etc. Interestingly, the highest prices go to botnets composed of US machines, presumably because the owners of those machines have more purchasing power and hence stealing credentials from those machines is more valuable. Even so, the value of each machine is quite low – $1000 for 10,000 infected US machines vs. $200 for 10,000 random machines around the world. [Reminds me of my youth where stamp collectors could get packets of random canceled stamps at different prices for "world" vs. specific countries - and most of the stuff in the world packets was trash.]

So what does this have to do with voting? Well, at $1000 for 10,000 infected American machines, the cost is $0.10/machine, and less as the quantity goes up. If I can “buy” (i.e., steal) votes in an internet voting scheme for $0.10 each, that’s far cheaper than any form of advertising. In a hard-fought election I’ll get a dozen fliers for each candidate on the ballot, each of which probably costs close to $1 when considering printing, postage, etc. So stealing votes is arguably 100 times cheaper (assuming that a large fraction of the populace were to vote by internet), even when considering the cost of developing the software that runs in the botnet.

Granted, not every machine in a botnet would be used for voting, even under the assumption that everyone voted by internet. But even if only 10% of them are, the cost per vote is still very “reasonable” under this scenario.

And as John Sebes responded in an earlier draft of this posting:

“You compared digital vote stealing costs to the costs of mere persuasion. What about the costs of analog vote stealing? It’s all anecdotal of course but I do hear that the going rate is about $35 from an absentee vote fraudster to a voter willing to sell a pre-signed absentee ballot kit. Even if the bad guys have to spend 100 of those dimes to get a 1-in-a-hundred machine that’s used for i-voting, that $10 is pretty good because $10 is cheaper than $35 and it and saves the trouble of paying the gatherers who are at risk for a felony.”

“But defending our freedom is not the job of our military alone. We must all do our part to make sure our God-given rights are protected here at home. That includes our most fundamental right as citizens: the right to vote. When any Americans – no matter where they live or what their party – are denied that right simply because they can’t wait for five, six, seven hours just to cast their ballot, we are betraying our ideals. That’s why, tonight, I’m announcing a non-partisan commission to improve the voting experience in America. And I’m asking two long-time experts in the field, who’ve recently served as the top attorneys for my campaign and for Governor Romney’s campaign, to lead it. We can fix this, and we will. The American people demand it. And so does our democracy.”

The White House announced that the commission will be led by Robert Bauer and Ben Ginsberg, attorneys for the Obama and Romney campaigns. According to the New York Times, the panel will include lawyers plus “election officials and customer service specialists — possibly from theme parks and other crowded places”.

I have no doubt that all of these are valuable areas where we need expertise in solving problems with long lines. But at the same time, it’s critical to recognize that any solution to solving problems will undoubtedly involve technology – and for that, there must be technologists on the panel. For example, if the panel determines that making it easier for people to register or check their address online is a good idea (which I expect will be one outcome), they need technical experts to help understand the security and privacy issues associated with such requirements.

My greatest fear is that the commission will blindly recommend internet voting as a cure-all. As readers of my postings on this blog know, internet voting has yet to show promise as a secure solution to voting, and it risks threatening everyone’s vote.

Here’s hoping that the yet-to-be-named members of the panel will include not just lawyers, election officials, and customer service specialists, but also a leading technical expert – and not someone from one of the other fields claiming technical expertise.

The past few days have revealed that the New York Times, Wall Street Journal, and Washington Post have all been hacked by Chinese government-affiliated organizations, for the purpose of spying on reporters. The Washington Post says that the attacks were detected over a year ago, and had been going on for at least a year before that. Commercial security products like anti-virus did not detect the malware, which isn’t surprising to anyone who is familiar with signature-based schemes. The attacks on major newspapers were significant enough that Krebs on Security quotes Gunnar Petersen saying it would be “more surprising would be a major newspaper outlet that wasn’t hacked by the Chinese”. (This in turn reminded me of the Nixon enemies list, where being omitted from the list was a sign that one was unimportant, and “Newsman Daniel Schorr and [actor] Paul Newman stated, separately, that inclusion on the list was their greatest accomplishment.”.)

So what does this have to do with voting? The NY Times story appeared on Jan 30. On Jan 29, I testified to the Virginia Senate Committee on Privileges and Elections hearing in opposition to SB 830 and 874. These two bills would require the Virginia State Board of Elections to allow military voters to cast their votes via the Internet. (The Patron (sponsor) of 874 said that it was not internet voting, but rather returning the ballot via electronic format, which is to say by email or web site. I fail to see the a meaningful difference between that an internet voting.)[Read more...]

The National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Principal Investigator Meeting (whew!) took place Nov. 27-29, 2012, at the Gaylord Hotel just outside Washington, DC. The SaTC program is NSF’s flagship for cybersecurity research, although it certainly isn’t the only NSF funding in this area. The purpose of this blog posting is to tell a bit about the event. While I’m one of the NSF program officers for SaTC, the following reflects my opinions, and does not necessarily speak for NSF. The program for the event was organized by Carl Landwehr and Lance Hoffman from George Washington University (with help from other people mentioned below), and logistics were handled by the Annapolis, MD, office of Vanderbilt University. I was the cat herder, but all the credit goes to the GWU, Vanderbilt, and other organizers.[Read more...]

The topic of how to handle security vulnerabilities has been discussed for years. Wikipedia defines responsible disclosure as:

Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months.

I spent Election Day in one of the command centers for the 866-OUR-VOTE hotline. The command center was accepting calls from New Jersey, Maryland, DC, and Virginia, but 95% of the technology issues were from Virginia. I was the designated “technology guy”, so pretty much everything that came through that center came to me. This gave me a pretty good perspective on the scope of issues. (I don’t know about the non-technology issues, although I heard discussions of issues like demanding more ID than is required, voter intimidation, etc.)

Following is a summary of what I saw. What’s most interesting is that if you divide things into “easy to solve” and “hard to solve”, the “easy to solve” ones are all in places using optical scan, and the “hard to solve” are all in places using DREs (colloquially known as “touch screens”, although not all of them are).[Read more...]

Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy, a research center that studies digital technologies in public life. Here you'll find comment and analysis from the digital frontier, written by the Center's faculty, students, and friends.